RiskRecon scores $3 million seed round to provide objective cloud vendor security assessments

RiskRecon, a startup that helps companies make objective security assessments of third-party cloud vendors, emerged from stealth today with a $3 million seed round led by General Catalyst. Several unnamed private investors also participated in the round.

Jeff Martin of TD Bank Group was also named to the company’s board today.

RiskRecon leverages information that companies expose on the web as part of doing business there. “If you stand up web servers and DNS servers, these are intentionally discoverable because they are providing services on the internet. Systems reveal the software being run and version information from which you can determine security performance,” Kelly White, RiskRecon CEO and co-founder, told TechCrunch.

RiskRecon can harvest that information, then measure and observe the vendor’s security posture, giving each company an objective security score — something companies tend to struggle with when evaluating cloud vendors.

“Security teams are currently well armed with personnel and tools and data in their own enterprises, but largely blind to the security and reliability of third parties,” White said.

RiskRecon does more than provide a simple score, though. It also offers detailed, actionable information when security gaps are found, so customers can work with the vendor to help them adhere to the security requirements.

When Deepak Jeevankumar, principal at General Catalyst, did his due diligence prior to funding RiskRecon, he found the company was attacking a problem without many solutions, and that’s something his firm looks for when evaluating companies to fund.

When he talked to CISOs (chief information security officers), he consistently heard that they had a budget for a service like this, but there were not enough viable solutions. That, combined with the experience of the founders, initial validation from early customers and the potential to grow, led to the investment in RiskRecon.

While White wouldn’t go into any great detail, he did hint that there is more to the platform than the initial security scorecard service, and he has plans to leverage the technology in the future to measure other types of things.

While there are other companies competing in the space, Jeevankumar said the most common method was trying to manually figure out a company’s security position, an approach that’s not sustainable as companies use ever more cloud services and need a way to assess the security risk of each one quickly and reliably.

RiskRecon is still in early days with 10 employees. It has paying customers, although it wouldn’t reveal how many at this point.